A British teenager who crashed his former employer’s email server with five million emails walked free from court after a judge ruled the boy had not broken the law.
The defendant, who for legal reasons cannot be named, was charged under Section Three of the Computer Misuse Act 1990. But the act does not mention denial of service (DoS) attacks.
District Judge Kenneth Grant of Wimbledon Magistrates Court accepted the defense argument that sending millions of emails did not constitute an unauthorized modification of the computer system as it was set up to receive emails.
"In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorized' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by section three (of the CMA)," said Judge Grant.
Some people in the security community said this latest ruling meant it was time to overhaul the act.
"The Computer Misuse Act is 15 years old and is out of touch with the realities of computer crime, whether thoughtless or organized. The Act was passed long before the arrival of denial of service attacks, or the broadband networks over which they run," said Mark Hanvey, chief security officer at Cable & Wireless.
Hanvey said his firm had seen DoS attacks rise by 50 percent over the last six months and called for these attacks to be included in future regulations.
"Distributed denial of service attacks should be covered by the Act. The current weaknesses of the act run the risk of giant server farms being set up quite legally to carry out such attacks," said Hanvey.